Leonardo Tegon
fb48336709
Merge pull request #5043 from maestrano/increment-failed-attempts-concurency
Backport CVE-2019-5421 fix to 3.x
2019-03-26 11:33:35 -03:00
Olivier Brisse
36690f33a4
Make #increment_failed_attempts concurrency safe
Backported from https://github.com/plataformatec/devise/pull/4996
2019-03-15 09:54:25 +11:00
Rafael França
bddf051bfb
Merge pull request #4749 from chrisb/3-stable-ruby-2.5
Backport Ruby 2.5.0 syntax fixes to 3-stable
2018-01-09 13:07:35 -05:00
Pat Allan
53957d921b
Fix syntax for MRI 2.5.0-preview1.
2017-12-28 10:56:17 -08:00
Lucas Mazza
a0af72edfd
Merge pull request #4117 from kamipo/patch-1
Fix release date in 3-stable CHANGELOG.md
2016-05-17 10:06:18 -03:00
Ryuta Kamizono
05b87096bd
Fix release date in 3-stable CHANGELOG.md
2016-05-17 21:58:54 +09:00
Ulisses Almeida
321fe1d13b
Release 3.5.10
v3.5.10
2016-05-15 12:14:04 -03:00
Ralin Chimev
a7dcf98f7e
Fix overwriting the remember_token when a valid one already exists (#4101)
The remember_token should not get overwritten when a user is
signing in and a valid token already exists.
Fixes #3950.
2016-05-15 12:12:48 -03:00
Ulisses Almeida
7e658a2abf
Release 3.5.9
v3.5.9
2016-05-02 23:47:19 -03:00
Justin Bull
0252f0e4a8
Extract list of both strategies into class constant
2016-05-02 23:46:18 -03:00
Justin Bull
07e907ec26
🪲 Fix strategy checking in #unlock_strategy_enabled? for :none and undefined strategies
A bug that if the unlock strategy was set to `:both`, it would return true for all & any inputs
See #4072
2016-05-02 23:46:08 -03:00
Ulisses Almeida
e9ed3e2cb4
Support for older rails versions.
2016-04-25 18:44:11 -03:00
Ulisses Almeida
2fa6735462
Lock mime-types to ~> 2.99
If we update mime-types to 3 or greater, it does not
work with ruby 1.9.3.
2016-04-25 18:14:12 -03:00
Ulisses Almeida
b8cddc3cf3
Release 3.5.8
v3.5.8
2016-04-25 16:57:28 -03:00
MatBi
1d57169c7b
Send confirmation instructions when a user updates the email address from nil
2016-04-25 16:51:40 -03:00
Ulisses Almeida
812c1de8e8
Release 3.5.7 version.
v3.5.7
2016-04-18 11:57:22 -03:00
Ulisses Almeida
a0f266c584
📝 Update CHANGELOG
2016-04-18 11:48:18 -03:00
Ulisses Almeida
ad99bfe6ef
Fix remember me always extending the period
Now the config `extend_remember_period` is used to:
`true` - Every time the user authentication is validated, the
cookie expiration is updated.
`false` - Does not update the cookie expiration.
Closes #3994
2016-04-18 11:47:56 -03:00
Lucas Mazza
89931ed533
Release 3.5.6.
v3.5.6
2016-02-01 09:09:55 -02:00
Lucas Mazza
57fdae1e48
Attempt to coerce the generated_at cookie to a Time object.
Time objects aren't properly coerced back when using the JSON cookie serialization,
so we need to do it ourselves.
To avoid any new JSON serialization issues, we now store the `generated_at` as
a String with the timestamp seconds + milliseconds in the cookie but still the
previous JSON encoded format.
Thanks to @boblail at https://github.com/plataformatec/devise/pull/3917 for the
initial patch.
2016-01-31 16:25:10 -02:00
Lucas Mazza
30e494580c
Refactor Rememberable.serialized_in_cookie? to split class/instance API.
We now expose a `remember_me?` instance method as internal API for the controller
layer check if the remember me cookie is still valid.
2016-01-27 14:45:14 -02:00
José Valim
048d05a553
Ensure generated_at is a Time
2016-01-25 11:17:05 +01:00
José Valim
8cbdeb54a5
Release v3.5.5
v3.5.5
2016-01-22 20:22:34 +01:00
José Valim
14affc8a55
Do not timeout if remember me is enabled
2016-01-22 16:18:57 +01:00
José Valim
eb0f0b662f
Readd remember_expired?
2016-01-22 15:57:57 +01:00
José Valim
1516a0ae6d
Release v3.5.4
v3.5.4
2016-01-18 15:12:07 +01:00
José Valim
c92996646a
Store creation timestamp on remember cookies
Signed-off-by: José Valim <jose.valim@plataformatec.com.br>
2016-01-18 14:47:31 +01:00
Kacper Walanus
ba5dd0a41a
test for save in after_create hook breaks devise confirmation [3787]
2015-12-15 11:41:48 -02:00
Christian Macias
f63be5039a
changed email_was !='' to email_was.present?
2015-12-15 11:41:33 -02:00
Christian Macias
f25562fd4b
fix for #3787, save in after_create hook breaks devise confirmation
2015-12-15 11:41:33 -02:00
Siva Gollapalli
2a2fd806a8
FIX# Comparing times in UTC
2015-12-15 11:40:59 -02:00
Lucas Mazza
032eb145df
Release 3.5.3.
v3.5.3
2015-12-10 14:36:34 -02:00
José Valim
0d941b7ba5
Merge pull request #3847 from stanhu/reset-token-only-on-update
Only clear the reset token on an update
2015-12-09 20:28:06 +01:00
Stan Hu
f71d843f93
Only clear the reset token on an update
This solves the issue where a package might do:
```
user = User.new
user.email = 'test@test.com'
token = user.generate_reset_token
user.save
send_reset_email(token)
```
Since the save clears the reset token, the user will receive a stale token that no longer works.
Closes #3774
2015-12-09 11:14:50 -08:00
Lucas Mazza
7d825c93b6
Update CHANGELOG [ci skip].
2015-12-09 13:53:29 -02:00
José Valim
19b1e2a6bc
Merge pull request #3846 from seddy/make_email_optional_on_recoverable
Allow resources with no email field to be recoverable
2015-12-09 14:39:32 +01:00
José Valim
901919f25f
Revert "Merge pull request #3774 from stanhu/reset-token-only-if-not-persisted"
This reverts commit 15c38d918f, reversing
changes made to 508c3418f9.
2015-12-09 14:21:09 +01:00
Lucas Mazza
15c38d918f
Merge pull request #3774 from stanhu/reset-token-only-if-not-persisted
Only clear the reset password token if the model has already been persisted
2015-12-09 10:54:36 -02:00
Lucas Mazza
508c3418f9
Merge pull request #3826 from andygeers/master
Don't error if resource doesn't need confirming
2015-12-09 10:52:35 -02:00
Ed Saunders
d98e98fe77
Add a test for when a recoverable resource has a non-AR email field
2015-12-08 16:01:39 +00:00
Ed Saunders
4a45eb9899
Allow resources with no email field to be recoverable
The current implementation is opinionated about the resource should have
an "email" column on it if it is to be recoverable, which isn't
necessarily the case. For example, developers may decide to pull emails
out into their own model or have some other way of communicating
password resets to their users (e.g. text message)
I'm not sure there's an easy test to put together for this case, as
minitest doesn't make it very easy to stub the "email_changed?" to raise
an error. Happy to look into building another model in the
"test/rails_app" if you want to have this properly tested though? Or for
a nice way to get calls to "email_changed?" to raise; minitest isn't
a test framework I'm overly familiar with :).
As a side note, it would be nice if the Validatable module also took
this into account, I may raise another PR for that.
This comes off the back of comments on this commit:
e641b4b7b9
2015-12-07 17:01:31 +00:00
José Valim
45fc964470
Merge pull request #3739 from stanhu/support-relative-urls-in-failure-app
Account for relative_url_root in FailureApp's recall method
2015-11-25 20:03:28 +01:00
Stan Hu
56fed052f8
Wrap logic for resetting token into instance method and add comments
2015-11-24 23:23:34 -08:00
Andy Geers
d3f521925e
Write unit test for bug fix
2015-11-18 22:21:03 +00:00
Andy Geers
8a8887ea82
Don't error if resource doesn't need confirming
2015-11-18 22:21:03 +00:00
José Valim
d22ac4a4fb
Merge pull request #3813 from jlerpscher/set-minimum-password-length-on-failure
set minimum password length on reset failure
2015-11-10 09:37:59 -02:00
Julien Lerpscher
8426b12550
set minimum password length on reset failure
2015-11-10 12:17:29 +01:00
José Valim
57bf362b55
Merge pull request #3808 from blase/skip-timeoutable
Allow skipping the timeoutable hook
2015-11-04 18:15:03 -02:00
José Valim
18a8260535
Merge pull request #3805 from robuye/master
Remove outdated example from documentation
2015-11-04 00:48:35 -02:00
Błażej Pankowiak
9f32f421a5
Allow skipping the timeoutable hook
2015-11-02 23:53:09 +01:00